Abstract. In this paper, we propose a pretty simple password-authenticated
key-exchange protocol which is based on the difficulty of solving the DDH
problem. It has the following advantages: (1) Both $y_1$ and $y_2$ in our
protocol are independent and thus they can be pre-computed and can be
sent independently. This speeds up the protocol. (2) Clients and servers
can use almost the same algorithm. This reduces the implementation
costs without accepting replay attacks and abuse of entities as oracles,
1 Introduction

We consider the following situation. Two entities, at least one of which is a human,
share beforehand a human-memorable password, which is secure against on-line
(and serial) exhaustive searches, but vulnerable to off-line (and parallel)
exhaustive searches. Human entities have only passwords in mind and have no
unmemorable secrets, such as private keys, public keys (or fingerprints of them), or
secret information for ID-based cryptosystems. The two entities run a protocol
and share a new secret (we call it keying material) that is secure against off-line
exhaustive searches. The shared keying material is then used to generate keys
for identifying the other entity and then establishing a secure channel (where
secrecy and/or data integrity are provided).

While such secure channels can be established using public keys, as in SSH
and SSL, users must verify the validity of the public keys used in them (using
signature-verification keys or fingerprints of the public keys). For ordinary users,
it is very troublesome to carry these anywhere and anytime, and then perform the
verification. Due to this troublesomeness, users may skip the verification of the
public keys and weaken the security of the channel.

Password-authenticated key exchanges are very convenient for users (especially
when they log in to their own servers remotely with their hands empty) since
they do not need to carry any verification keys or fingerprints with them and
do not need to verify the public keys of a PKI^1. While such protocols have been
proposed in the literature [citation list unreadable in the source], most of them are a little bit complicated.

Footnote 1: One of the advantages of PKI is that unknown users can communicate securely.



In this paper, we propose a pretty-simple protocol which is based on the difficulty
of solving the DDH problem. It has the following advantages: (1) Both $y_1$ and
$y_2$ are independent and thus they can be pre-computed and sent independently.
This speeds up the protocol without leaking information on the passwords.
(2) Clients and servers can use almost the same algorithm. This reduces the
implementation costs without accepting replay attacks and abuse of entities as
oracles.

2 Our Protocol 

Our protocol is defined over a finite cyclic group $G = \langle g \rangle$ where $|G| = q$ and
$q$ is a large prime (or a positive integer divisible by a large prime). While $G$ can
be a group over an elliptic curve, in this paper we assume $G$ is a prime-order
subgroup of the multiplicative group of a finite field $F_p$.

Both $g$ and $h$ are generators of $G$, chosen so that the DLP (Discrete
Logarithm Problem), i.e. calculating

$a = \log_g h$, (1)

is hard^2 for each entity. Both $g$ and $h$ may be chosen as system parameters
or chosen by negotiation between the entities. For example, $g$ may be
a random generator of $G$ and $h := \mathrm{Hash}(g)^{(p-1)/q} \bmod p$; or a client chooses
$g := g_t^{s_1}$ for a random $s_1 \in (\mathbb{Z}/q\mathbb{Z})^*$, where $g_t$ is a random generator of $G$, and
then sends its commitment $\mathrm{Hash}(g)$ to a server, the server replies $h := g_t^{s_2}$ for
a random $s_2 \in (\mathbb{Z}/q\mathbb{Z})^*$, and finally the client reveals $g$ to the server.

The protocol consists of the following two phases: a secrecy-amplification 
phase and a verification phase. 

In the secrecy-amplification phase, the secrecy of a pre-shared weak secret,
i.e. a human-memorable password that may be vulnerable to off-line attack,
is amplified to a strong secret, i.e. keying material that is secure even against
off-line attack. In the verification phase, an ordinary challenge-response protocol
is used to verify whether the other entity has the same secret or not. The point
to notice is that challenges should be chosen to be unique at every session and
for every entity, and to be uncontrollable by the entity on one side, to avoid replay
attacks and abuse of the entity on the other side as an oracle.

Both phases are described as follows.

2.1 Secrecy-Amplification Phase

The secrecy-amplification phase is illustrated in Fig. 1. A client chooses a random
number $r_1 \in (\mathbb{Z}/q\mathbb{Z})^*$ and then calculates $y_1 := g^{r_1} \cdot h^{pass_C}$ using its password
$pass_C$. It sends $y_1$ to a server. The server likewise calculates $y_2 := g^{r_2} \cdot h^{pass_S}$ using
its password $pass_S$ and a random number $r_2 \in (\mathbb{Z}/q\mathbb{Z})^*$, and then sends it to the
client. Now, the client's keying material is $km_C = (y_2 \cdot h^{-pass_C})^{r_1}$ and the server's
one is $km_S = (y_1 \cdot h^{-pass_S})^{r_2}$.

Footnote 2: Since we assume the DDH (Decision Diffie-Hellman) problem is hard, it is reasonable
to assume that the DLP is also hard.

Client (Alice)                                      Server (Bob)
$r_1 \in (\mathbb{Z}/q\mathbb{Z})^*$                                    $r_2 \in (\mathbb{Z}/q\mathbb{Z})^*$
$y_1 := g^{r_1} \cdot h^{pass_C}$      ---- $y_1$ ---->
                                   <---- $y_2$ ----    $y_2 := g^{r_2} \cdot h^{pass_S}$
$km_C := (y_2 \cdot h^{-pass_C})^{r_1}$                        $km_S := (y_1 \cdot h^{-pass_S})^{r_2}$

Fig. 1. Secrecy-amplification phase of our protocol

Only when they run the protocol using the same password can they share
the same keying material. Otherwise, distinguishing the other's keying material is as hard as
solving the DDH problem, which is defined as follows:

Definition 1 (DDH problem). Given $g_t$ and $d = (d_1, d_2, d_3) = (g_t^{x_1}, g_t^{x_2}, g_t^{x_3})$,
where $x_3$ is either $x_1 x_2$ or not with probability 1/2, decide whether $g_t^{x_3} = g_t^{x_1 x_2}$ or not.

One of the advantages of this protocol is that both $y_1$ and $y_2$ are independent
and thus they can be pre-computed and sent independently. This means the
server can transmit $y_2$ first (i.e. before it receives $y_1$). This speeds up the protocol
without leaking information on the passwords, since they are masked with the
random numbers $r_2$ (or $r_1$).

Another advantage is that both the clients and the servers can use almost
the same algorithm. This reduces the implementation costs without accepting
replay attacks and abuse of entities as oracles, since $(y_1, y_2)$ cannot be controlled
by one entity and is unique at every session and for every entity.

2.2 Verification Phase 

Whether the other entity shares the same keying material with me is verified
in this phase as follows. The client and the server exchange $v_1 := KH_{km_S}(Tag_S \| y_1 \| y_2)$
and $v_2 := KH_{km_C}(Tag_C \| y_1 \| y_2)$ with each other, where $v_1$ is
generated by the server and $v_2$ is generated by the client respectively, and $KH_k()$ is a
keyed hash function whose key is $k$. Both $Tag_S$ and $Tag_C$ are pre-determined distinct
values, e.g. $Tag_S = 0$ and $Tag_C = 1$. The client verifies $v_1 = KH_{km_C}(Tag_S \| y_1 \| y_2)$
and the server verifies $v_2 = KH_{km_S}(Tag_C \| y_1 \| y_2)$.

Similarly to the secrecy-amplification phase, $v_1$ and $v_2$ can be transmitted
independently of each other. (This verification phase may be skipped if
data integrity is provided after the secrecy-amplification phase using the shared
keying material.)

While adversaries can perform exhaustive searches for the keying material
using $v_1$ or $v_2$, this is not a problem if a strong secret is shared in the secrecy-amplification
phase and no algorithm more efficient than exhaustive search is known to find the key $k$ of
$KH_k()$. The latter property can be satisfied using practical functions, such as HMAC,
and then $KH_k()$ does not need to be a random oracle.

3 Conclusion 

We proposed a pretty simple password-authenticated key-exchange protocol which
is based on the difficulty of solving the DDH problem.

Our protocol has the following advantages: (1) both $y_1$ and $y_2$ are independent
and thus they can be pre-computed and sent independently. This speeds
up the protocol, but does not leak information on the passwords since they
are masked with the random numbers $r_1$ (or $r_2$). (2) Clients and servers can use
almost the same algorithm. This reduces the implementation costs, but does not
weaken the security against replay attacks and abuse of entities as oracles since
$(y_1, y_2)$ cannot be controlled by one entity and is unique at every session and for every
entity.